Businesses all over the world face various criminal threats, including money laundering, terrorism financing, and identity theft. If businesses fall victim to these crimes, they may also face stiff penalties from regulators—compounding the financial and reputational losses already incurred. That’s why it’s critical to implement effective fraud prevention methods, which brings us to KYC.
To filter out fraudsters and prevent money laundering, businesses implement Know Your Customer (KYC) checks. This process is aimed at identifying and verifying clients before commencing a business relationship. However, to do this properly, businesses should know what information and documents to collect, as well as the particular steps of the verification process. We’ve put together this KYC guide to help you sort this all out.
What are KYC checks?KYC checks aim to collect and verify information provided by clients. The procedure is required by a variety of regulations, such as those provided by the Financial Action Task Force and the EU’s 4th and 5th AMLDs.
During the onboarding process, KYC checks usually consist of the following steps:
- identification—the process of acquiring the client’s personal data;
- liveness check—the process of determining whether the client is a real person. The procedure takes place during remote checks;
- verification—the process of cross-comparing personal data with government-issued documents or information obtained from a reliable source independent of the customer;
- address verification—the process of determining whether the client comes from their claimed region.
A full explanation of the differences between identification, verification, and authentication can be found here.
After completing the steps above, businesses should continue monitoring their clients’ profiles and transactions. If they notice suspicious activity, it must be reported to a specially designated institution. For instance, UK businesses have to report suspicious activities to the UK National Crime Agency (NCA).
Businesses also have to keep records of all collected information for a certain amount of time, as specified by the relevant jurisdiction (usually five years).
Which KYC documents are required?
To identify a client, at minimum the following information must be collected:
- date of birth;
Additional information should be collected depending on the requirements of a given jurisdiction. For example, in the US, businesses ask for a tax identification number for US citizens or an identification number for non-U.S. persons.
Information submitted by clients should be verified against government-issued documents—or against information obtained from an independent and reliable source—to ensure the customer has not provided false or stolen identification documents or incorrect information.
Usually, businesses must also verify the document’s digital authenticity. This means checking for:
- presence of optical security features (e.g., holograms);
- absence of traces of tampering;
- photo on ID that belongs to the client.
Businesses may use either manual or automatic approaches to verifying these documents. The manual approach can slow down the process of verification, since customers can often provide a large amount of data—and processing it ‘by hand’ takes time. Moreover, the human eye may be unable to spot today’s forged documents, which are growing increasingly advanced. In comparison, the automated approach uses a combination of verification procedures which compare documents against various open data sources and check for graphic modification. This significantly increases pass rates, speeds up onboarding, and brings down associated costs by 43%.
Additional technical means of verification
The purpose of identification and verification is to link the customer to the identity provided and to verify that this person is indeed who they claim to be. This is done through one or a combination of the following technical means:
- video identification and verification;
- reading NFC chips on the identity document;
- liveness check and face match.
The means by which verification is performed depends on the jurisdiction and/or company policy. For instance, in Germany, regulated businesses are required to carry out video identification to onboard their clients remotely.
Screening and monitoring
Businesses need to screen customers against sanction lists, watchlists, Politically Exposed Persons (PEPs) lists, and other relevant sources.
Ongoing monitoring is obligatory since a сustomer’s profile could change throughout the course of a business relationship. If, for instance, compromising information is unearthed about the customer during this process, additional due diligence measures should be implemented.
Customer Due Diligence
Customer Due Diligence (CDD) refers to the measures that businesses take to assess the money laundering and terrorism financing risks of a given customer. Like KYC, CDD involves collecting and verifying information on clients to mitigate the risks of money laundering and financing of terrorism. Accordingly, the CDD process involves:
- identifying the customer;
- identifying the beneficial owner, where relevant, and verifying their identity;
- assessing and, where appropriate, obtaining information on the purpose and intended nature of the business relationship or transaction.
A customer’s risk level may increase or decrease based on a variety of risk factors related to their geography and the particular products, services, transactions or delivery channels risk. Where a customer is assessed as carrying a higher risk, it will be necessary to seek additional information in respect of the customer, depending on the product sought. This procedure is called Enhanced Due Diligence.
It should be noted that not all high-risk clients are automatically involved in criminal activities; rather, they indicate higher risk factors that warrant closer attention.
Businesses need to retain the receipts and records of transactions, as well as the identity information of their clients. The retention period varies depending on the country. For example, Canada requires businesses to keep the record of their clients for five years, while in Austria the period is ten years.